Sonatype Blog: Latest Posts

Nexus 1.3.3 Released: PGP Verification / Improved Interface

The Nexus 1.3.3 Pro release includes enhancements to allow validation of PGP signed artifacts, and block access based on the results of that check. This release also adds an enhanced set of capabilities and rules in the procurement suite. Download your free Nexus Professional Evaluation or Learn more about Nexus Professional today. Continue reading this post for more information about these new procurement features.

How Artifacts are Signed

Most artifacts being added to the Maven Central Repository these days are signed during the release process using the maven-gpg-plugin. The GPG plugin is an implementation of the PGP public-key cryptography algorithm. Artifacts are signed by calculating a hash of the artifact that is then encrypted with that user’s private key. This digitally signed hash is added to the repository along side the original file as an .ASC file.

Developers that sign public artifacts normally publish their keys to a public key server such as pgp.mit.edu. (you can see my key and the list of people that have signed it here).

Validating the signed artifact is done by inspecting the .ASC file to determine the key id used to sign the artifact. The key is then retrieved from a configurable list of public keystores (if it’s not already available in a local keyring), and the decrypted hash is then compared to the recalculated hash of the artifact. If they match, then you know the artifact hasn’t been tampered with or corrupted since the artifact was signed by this key.

Verifying PGP Signatures with Nexus Professional

Nexus is able to perform these signature checks on the fly via the Procurement support. Users are able to define rules based on the group/artifact/version (with wildcards) that tell Nexus how to handle the validation. This makes it possible to approve only artifacts with valid signatures and block those that are invalid. How to handle missing signatures is also configurable.

Although signatures have been available for artifacts in Central for quite some time, most people do not take advantage of them because the process to validate artifacts is cumbersome and manual. This Nexus support now makes it possible to further guard your builds against corrupted or intentionally tampered artifacts in an automatic and transparent way.

Future releases of Nexus will build upon the signature checking to provide the ability to scan entire repositories and report on the signature status, as well as manage the web of trust so that you can block artifacts signed by people you don’t yet trust.